I am trying to log every time files in a specific folder are actually opened, but I am having troubles. I have Object Access Auditing for success and failure turned on in the local computer policy. I enabled auditing of the specific folder with advanced security settings and I get great 4663 events for deleting and writedata events, but I don't see any way of getting accurate events for when a file is actually opened. I can enable "list folder/read data", "read attributes", or "read permissions" which all will trigger when a file is opened - but all of these also trigger when the files are not opened as well(such as just opening a folder I get a read permissions trigger for every file in the folder, or if I highlight a file it will trigger the read attributes and the read data events for that file). I don't want the event to trigger when I can just see the file or highlight it, I need to know when the file is opened (eg a spreadsheet opened with excel, a txt file opened with notepad, etc.).

That video was very helpful, thanks. By any chance can you demonstrate the "file read" auditing? I am having a very hard time finding a way to audit when a user actually opens a file because there is no way to accomplish this with regular windows file auditing, I can audit read permissions or read attributes but they show that permissions and attributes are being read on files which aren't actually opened.

Yeah, that's a limit of Windows, I'm afraid. Even FIM will get flooded with the attribute and property "reads" because Windows makes no distinction between actually opening a file and just getting properties on the file.

Darn, so it looks like there is no way to log when a file is opened and know for sure that the file was opened. I would settle for the "traverse folder" events but those don't even happen when folders are traversed most of the time.

Actions

More Like This

Incoming Links

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 130,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining.

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website,
you consent to our use of cookies. For more information on cookies, see our cookie policy.